Lucene search
K
Database
Vendors
Products
Timeline
Vulnerabilities
Perimeter Scanner
Scanning
Projects
Scanner
Agent Scanning
API Scanning
Manual Audit
Email
Webhook
Resources
Documents
Blog
Glossary
FAQ
Plugins
Pricing
Contacts
About Us
Partners
Branding Guideline
Settings
Sign in
NodejsUndici

15 matches found

CVE
CVEadded 2025/01/21 6:15 p.m.542 views

CVE-2025-22150

Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known. If...

6.8CVSS6.4AI score0.00045EPSS
CVE
CVEadded 2023/10/12 5:15 p.m.507 views

CVE-2023-45143

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.header...

3.9CVSS5.5AI score0.00214EPSS
CVE
CVEadded 2023/02/16 6:15 p.m.290 views

CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to nor...

7.5CVSS7.9AI score0.00278EPSS
CVE
CVEadded 2023/02/16 6:15 p.m.278 views

CVE-2023-23936

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to u...

6.5CVSS6.9AI score0.00448EPSS
CVE
CVEadded 2022/07/19 9:15 p.m.195 views

CVE-2022-31150

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issu...

6.5CVSS7AI score0.0017EPSS
CVE
CVEadded 2022/08/12 11:15 p.m.192 views

CVE-2022-35949

undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = requ...

9.8CVSS7AI score0.00222EPSS
Web
CVE
CVEadded 2022/08/15 11:21 a.m.182 views

CVE-2022-35948

undici is an HTTP/1.1 client, written from scratch for Node.js.=

5.3CVSS6.4AI score0.00154EPSS
Web
CVE
CVEadded 2022/07/21 4:15 a.m.158 views

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a...

6.5CVSS5.1AI score0.00151EPSS
CVE
CVEadded 2025/05/15 6:15 p.m.133 views

CVE-2025-47279

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then...

3.1CVSS3.8AI score0.00043EPSS
CVE
CVEadded 2024/04/04 3:15 p.m.101 views

CVE-2024-30261

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

3.5CVSS4.2AI score0.00274EPSS
CVE
CVEadded 2024/02/16 10:15 p.m.98 views

CVE-2024-24758

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarou...

4.5CVSS3.9AI score0.00066EPSS
CVE
CVEadded 2024/04/04 4:15 p.m.93 views

CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

4.3CVSS4.8AI score0.00138EPSS
CVE
CVEadded 2022/07/14 3:15 p.m.78 views

CVE-2022-32210

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain...

6.5CVSS6.3AI score0.00127EPSS
CVE
CVEadded 2024/02/16 10:15 p.m.53 views

CVE-2024-24750

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgra...

6.5CVSS6.2AI score0.00356EPSS
CVE
CVEadded 2024/07/08 9:15 p.m.51 views

CVE-2024-38372

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch() request, response.arrayBuffer() might include portion of memory from the Node.js process. This has been patched in v6.19.2.

2CVSS3.4AI score0.00164EPSS